I've sat in war rooms while dashboards lit up red and watched senior engineers scramble to figure out why a single TCP connection was eating 40% of a server's CPU. It wasn't a volumetric flood. It wasn't even that much traffic by bandwidth standards. What we were looking at was something far more insidious — a protocol-level exploit that turned the web's greatest efficiency feature into a weapon.
That was before CVE-2023-44487, the HTTP/2 Rapid Reset attack, became public knowledge. Now we know exactly what happened in those war rooms: attackers weren't flooding your network with garbage data. They were abusing a legitimate protocol mechanism — the RST_STREAM frame — to make your servers do expensive work on requests that never actually existed.
Here's the thing most teams get wrong. They think DDoS protection is about bandwidth. It isn't, not anymore. The HTTP/2 Rapid Reset attack peaked at over 398 million requests per second against Google's infrastructure, according to their own blog. But that traffic didn't come from a botnet of thousands of compromised devices pumping out megabits. It came from attackers who understood something about HTTP/2 that most operators don't: every stream you open costs you memory, CPU cycles for header parsing, and connection table entries. And if you can cancel those streams faster than your server can process them, you've found a free lunch — except the lunch is your availability.
This isn't theoretical. Dark Reading reported that telcos and healthcare providers were hit hard, with some carriers seeing attack traffic exceeding 50,000 RST_STREAM frames per second. These aren't organizations that can afford downtime. They're the ones keeping hospitals running and phones working.
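The stream-cancellation pattern described above can be spotted per connection by counting streams that a client opens and then resets almost immediately. The following Python is an added example, not code from the original article or from any vendor; the thresholds, the event tuple format and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

HEADERS, RST_STREAM = 0x1, 0x3  # HTTP/2 frame type codes (RFC 9113)

# Assumed thresholds for illustration; tune against real traffic.
RAPID_LIFETIME = 0.050   # a stream reset within 50 ms of opening counts as "rapid"
WINDOW = 1.0             # sliding window, seconds
BUDGET = 100             # rapid resets tolerated per connection per window


def find_rapid_reset_connections(events):
    """events: iterable of (timestamp, conn_id, frame_type, stream_id) for
    client-sent frames, ordered by time. Returns {conn_id: first_flag_time}."""
    opened = defaultdict(dict)      # conn_id -> {stream_id: open time}
    rapid = defaultdict(deque)      # conn_id -> times of recent rapid resets
    flagged = {}
    for ts, conn, ftype, sid in events:
        if ftype == HEADERS:
            opened[conn].setdefault(sid, ts)
        elif ftype == RST_STREAM:
            t_open = opened[conn].pop(sid, None)
            if t_open is None or ts - t_open > RAPID_LIFETIME:
                continue            # unknown stream or an ordinary cancel
            q = rapid[conn]
            q.append(ts)
            while q and ts - q[0] > WINDOW:
                q.popleft()
            if len(q) > BUDGET and conn not in flagged:
                flagged[conn] = ts  # where a server would send GOAWAY and close
    return flagged


def constructed_events():
    """Constructed sample: conn 'A' behaves like a browser, conn 'B' opens
    and cancels streams back to back."""
    ev = []
    for i in range(20):             # A: 20 requests spread over 10 s
        ev.append((i * 0.5, "A", HEADERS, 2 * i + 1))
    ev.append((2.5, "A", RST_STREAM, 3))   # A cancels one stream after 2 s
    for i in range(500):            # B: 500 open/cancel pairs in 0.5 s
        t = 3.0 + i * 0.001
        ev.append((t, "B", HEADERS, 2 * i + 1))
        ev.append((t + 0.0005, "B", RST_STREAM, 2 * i + 1))
    return sorted(ev, key=lambda e: e[0])


if __name__ == "__main__":
    print(find_rapid_reset_connections(constructed_events()))
```

Connection A's single slow cancel never counts against the budget; connection B is flagged on its 101st rapid reset, well before the remaining streams are processed.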
For a deeper look at how this vulnerability specifically impacts distributed infrastructure in healthcare and telecommunications, see our coverage on HTTP/2 Rapid Reset: Protecting Distributed Infrastructure.
Sources: Dark Reading – HTTP/2 Bomb Attacks Hit Telcos and Healthcare | Google Cloud Blog – How It Works: The Novel HTTP/2 Rapid Reset DDoS Attack | BleepingComputer – HTTP/2 Rapid Reset Attack Exploited in Zero-Day DDoS Campaigns